[SYNCOPE-1793] Enforce transactional read

apache · Dec 9, 2023 · c8abd05 · c8abd05
1 parent 6a6094d
commit c8abd05
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 6 deletions.
diff --git a/core/idrepo/logic/src/main/java/org/apache/syncope/core/logic/UserLogic.java b/core/idrepo/logic/src/main/java/org/apache/syncope/core/logic/UserLogic.java
@@ -507,17 +507,17 @@ protected ProvisioningResult<UserTO> doDelete(
     }
 
     protected void updateChecks(final String key) {
-        User user = userDAO.authFind(key);
+        UserTO userTO = binder.getUserTO(key);
 
         Set<String> authRealms = RealmUtils.getEffective(
                 AuthContextUtils.getAuthorizations().get(IdRepoEntitlement.USER_UPDATE),
-                user.getRealm().getFullPath());
+                userTO.getRealm());
         userDAO.securityChecks(
                 authRealms,
-                user.getKey(),
-                user.getRealm().getFullPath(),
-                user.getMemberships().stream().
-                        map(m -> m.getRightEnd().getKey()).
+                userTO.getKey(),
+                userTO.getRealm(),
+                userTO.getMemberships().stream().
+                        map(MembershipTO::getGroupKey).
                         collect(Collectors.toSet()));
     }
 

diff --git a/fit/core-reference/src/test/java/org/apache/syncope/fit/core/UserIssuesITCase.java b/fit/core-reference/src/test/java/org/apache/syncope/fit/core/UserIssuesITCase.java
@@ -54,6 +54,7 @@
 import org.apache.syncope.common.lib.request.GroupCR;
 import org.apache.syncope.common.lib.request.MembershipUR;
 import org.apache.syncope.common.lib.request.PasswordPatch;
+import org.apache.syncope.common.lib.request.ResourceAR;
 import org.apache.syncope.common.lib.request.StringPatchItem;
 import org.apache.syncope.common.lib.request.StringReplacePatchItem;
 import org.apache.syncope.common.lib.request.UserCR;
@@ -68,19 +69,23 @@
 import org.apache.syncope.common.lib.to.ProvisioningResult;
 import org.apache.syncope.common.lib.to.RealmTO;
 import org.apache.syncope.common.lib.to.ResourceTO;
+import org.apache.syncope.common.lib.to.RoleTO;
 import org.apache.syncope.common.lib.to.UserTO;
 import org.apache.syncope.common.lib.types.AnyTypeKind;
 import org.apache.syncope.common.lib.types.CipherAlgorithm;
 import org.apache.syncope.common.lib.types.ClientExceptionType;
 import org.apache.syncope.common.lib.types.ExecStatus;
 import org.apache.syncope.common.lib.types.IdMImplementationType;
+import org.apache.syncope.common.lib.types.IdRepoEntitlement;
 import org.apache.syncope.common.lib.types.IdRepoImplementationType;
 import org.apache.syncope.common.lib.types.ImplementationEngine;
 import org.apache.syncope.common.lib.types.MappingPurpose;
 import org.apache.syncope.common.lib.types.PatchOperation;
 import org.apache.syncope.common.lib.types.PolicyType;
+import org.apache.syncope.common.lib.types.ResourceAssociationAction;
 import org.apache.syncope.common.rest.api.RESTHeaders;
 import org.apache.syncope.common.rest.api.beans.RealmQuery;
+import org.apache.syncope.common.rest.api.service.UserService;
 import org.apache.syncope.core.provisioning.api.serialization.POJOHelper;
 import org.apache.syncope.core.provisioning.java.propagation.DBPasswordPropagationActions;
 import org.apache.syncope.core.provisioning.java.propagation.GenerateRandomPasswordPropagationActions;
@@ -1610,4 +1615,23 @@ public void issueSYNCOPE1750() {
             assertTrue(e.getMessage().contains("InvalidPassword: Password must be 10 or more characters in length."));
         }
     }
+
+    @Test
+    public void issueSYNCOPE1793() {
+        RoleTO role = new RoleTO();
+        role.setKey("syncope1793" + getUUIDString());
+        role.getRealms().add(SyncopeConstants.ROOT_REALM);
+        role.getEntitlements().add(IdRepoEntitlement.USER_UPDATE);
+        role = createRole(role);
+
+        UserCR userCR = UserITCase.getUniqueSample("[email protected]");
+        userCR.getRoles().add(role.getKey());
+        UserTO userTO = createUser(userCR).getEntity();
+
+        UserService userService = CLIENT_FACTORY.create(userTO.getUsername(), "password123").
+                getService(UserService.class);
+        Response response = userService.associate(new ResourceAR.Builder().key(userTO.getKey()).
+                resource(RESOURCE_NAME_NOPROPAGATION).action(ResourceAssociationAction.ASSIGN).build());
+        assertEquals(Response.Status.OK.getStatusCode(), response.getStatus());
+    }
 }